Cybersecurity: How EPA Manages Water Supply

Event Detection Systems

The Environmental Protection Agency (EPA) conducts several technical measures in order to manage one of the most crucial critical infrastructures in the United States: the Water Management System. EPA runs an Event Detection System (EDS) challenge on an ongoing basis, which aims to discover applicable technical resources for maintaining effective operations in Water Management Systems and to address any vulnerabilities within this critical infrastructure. EPA wants its staff members to develop Contaminant Warning Systems (CWS) that can identify contaminants within the water supply in real time. The organization seeks to gather research and test potential solutions in order to adopt technologies that will reduce or eliminate the possibility of users receiving contaminated water. Over a period of 3 to 5 months, EPA gathers data from up to six sensors attached to monitoring stations around the United States. The data includes water quality (WQ) parameter values and operational indicators such as active pumps, tank water levels and valve states. Each sensor reports a different value for the collected data, and EPA collects baseline data for each station. EPA evaluates the baseline data in order to discover information regarding the prospect of contamination of the water supply. EPA has compiled a list of 14 simulated contaminants, each of which may appear within certain intervals of the testing data; the interval describes the rise, the fall, the length of peak concentration and the total duration of the attack. Collecting data on the 14 simulated contaminants helps the EPA devise strategies for protecting the critical infrastructures that manage the water supply.

EDS Tools

In order to manage the effective use and evaluation of EDS tools, EPA has developed software called EDDIES, which is distributed to the organization’s participants. EPA has four main objectives for the EDDIES software: executing EDS tools in interaction with SCADA systems in real time (collecting data from sensors, analyzing it with the EDS and sending the response back to the SCADA tool to be viewed by utility staff); using stored data to evaluate EDS tools in an offline environment; managing datasets and simulations effectively; and developing new testing datasets by injecting contaminants. EPA’s offering of EDS tools, specifically the EDDIES software, creates an environment in which participants can collect baseline data and create simulated contaminations, which ultimately gives users the ability to learn which tools should be applied in order to manage the water supply and maintain the efficiency of the critical infrastructure.

ADWICE

ADWICE is another example of an anomaly detector created by the EPA in order to manage the water supply. The detector uses clusters that model the critical infrastructure’s normal behavior; a cluster is made up of a set of points and is represented by a summary called a cluster feature (CF). The points are multidimensional numeric vectors; each dimension represents a feature in the data. A CF contains three components: the number of points in the cluster, the sum of the points in the cluster, and the sum of the squares of the points. These clusters are used both to create the normality model and during threat detection. All of the information found within the clusters is collected, evaluated and represented within a tree structure, where each level creates a new CF that is the sum of the CFs of the clusters it collects. ADWICE uses a variation of the original BIRCH data mining algorithm, which has a proven track record of helping the detector build its model quickly and of retrieving information from clusters efficiently during the detection process. ADWICE represents the most effective strategy for discovering anomalies within networks managing the water system.
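As an added illustration of the cluster-feature idea described above (this is example code written for this page, not EPA's or ADWICE's own implementation), the block below keeps a flat list of clusters instead of a full CF tree and uses a fixed distance threshold; the sensor readings are constructed sample values.

```python
# Added example (not EPA's or ADWICE's own code): a minimal BIRCH-style
# cluster-feature normality model in the spirit of the description above.
# CF = (n, ls, ss): point count, linear sum, sum of squares; all additive.
import math

class ClusterFeature:
    def __init__(self, point):
        self.n = 1
        self.ls = list(point)                  # linear sum per dimension
        self.ss = sum(x * x for x in point)    # sum of squared coordinates

    def centroid(self):
        return [s / self.n for s in self.ls]

    def distance(self, point):
        return math.dist(self.centroid(), point)

    def add(self, point):                      # absorbing a point is a merge
        self.merge(ClusterFeature(point))

    def merge(self, other):                    # CF of a union = sum of CFs
        self.n += other.n
        self.ls = [a + b for a, b in zip(self.ls, other.ls)]
        self.ss += other.ss

class NormalityModel:
    """Flat stand-in for the CF tree: a list of clusters plus a distance threshold."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.clusters = []

    def nearest(self, point):
        return min(self.clusters, key=lambda c: c.distance(point), default=None)

    def train(self, point):                    # attack-free training data only
        cf = self.nearest(point)
        if cf is not None and cf.distance(point) <= self.threshold:
            cf.add(point)
        else:
            self.clusters.append(ClusterFeature(point))

    def is_anomalous(self, point):             # no cluster close enough => anomaly
        cf = self.nearest(point)
        return cf is None or cf.distance(point) > self.threshold

# Constructed readings (chlorine mg/L, pH, turbidity NTU) from one station.
NORMAL = [(1.0, 7.2, 0.3), (1.1, 7.1, 0.4), (0.9, 7.3, 0.3), (1.0, 7.2, 0.2)]
model = NormalityModel(threshold=0.5)
for reading in NORMAL:
    model.train(reading)
```

Because a CF stores only sums, the model's memory does not grow with the number of training points, which is the property the tree structure relies on.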

Training

Training is the first step of the anomaly detection process, as it creates a normality model that can assist cybersecurity professionals in locating abnormalities within critical infrastructures. Because ADWICE takes a pure anomaly detection approach, the training data must be unaffected by attacks; EPA therefore allows a significant amount of time in order to capture the appropriate amount of training data. EPA frequently divides baseline data into two parts: the first is used to train the anomaly detector, and the second has contamination added to it. In order to discover how the anomaly detector reacts to the effects of each contaminant, the EPA evaluates 14 different testing datasets, each containing a different contaminant injected at the same timesteps with the same profile, so that a comparative study can be conducted. During the training process, cybersecurity professionals perform feature selection in order to pinpoint which parameters to consider for anomaly detection. The cybersecurity professional must decide between evaluating common WQ parameters or station-specific features. Security professionals can collect their observations over time and compare specific features according to the times and dates at which they were evaluated during the training process.

Detection

Cybersecurity professionals gather information from the six stations and decide which station’s information will be evaluated as part of the detection process. The process involves adding contaminants to a specific station’s data in order to generate testing datasets. As a result, the security professional can indicate which behaviors are normal at the various timesteps and where anomalous information could appear and interfere with the operational functionality of the water system. Security professionals can use a formula to determine the detection rate and the number of false positives present within the datasets. One of the most important data points during the detection process is detection latency: the time that passes between the start of the anomaly and the moment the water system’s tool raises the intrusion to alarm systems and other forms of intrusion detection and prevention. A significant software implementation by the EPA, the CANARY tool, reads data from sensors and considers historical data to detect events. EPA is constantly improving its software in order to provide participants with the most accurate methods of collecting information for anomaly detection.
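To show how the Training and Detection steps fit together, here is an added example (written for this page, not EPA's or CANARY's code) that injects one constructed contaminant profile into a constructed baseline series, runs a toy moving-average detector in place of a real EDS, and scores the alarms for detection rate, false positives and detection latency.

```python
# Added example (not EPA's or CANARY's own code): the evaluation loop the
# Training and Detection sections describe, on constructed data: inject a
# contaminant profile into a baseline, run a simple detector, score it.

def inject_contaminant(baseline, start, rise, peak, fall, amplitude):
    """Add a rise/peak/fall concentration profile to a copy of the baseline."""
    series = list(baseline)
    profile = ([amplitude * (i + 1) / (rise + 1) for i in range(rise)]
               + [amplitude] * peak
               + [amplitude * (fall - i) / (fall + 1) for i in range(fall)])
    for offset, value in enumerate(profile):
        series[start + offset] += value
    return series

def threshold_detector(series, window, k):
    """Alarm when a value exceeds the mean of the previous `window` samples
    by more than k (a toy stand-in for a real EDS such as CANARY)."""
    alarms = []
    for t, value in enumerate(series):
        recent = series[max(0, t - window):t]
        mean = sum(recent) / window if len(recent) == window else value
        alarms.append(value - mean > k)
    return alarms

def score(alarms, events):
    """events: (start, end) timestep pairs, end exclusive, of injected
    contamination.  Returns (detection_rate, false_positives, latencies)."""
    detected, latencies = 0, []
    for start, end in events:
        hits = [t for t in range(start, end) if alarms[t]]
        if hits:
            detected += 1
            latencies.append(hits[0] - start)    # timesteps to first alarm
    in_event = {t for start, end in events for t in range(start, end)}
    false_positives = sum(1 for t, a in enumerate(alarms) if a and t not in in_event)
    rate = detected / len(events) if events else 0.0
    return rate, false_positives, latencies

# Constructed baseline: chlorine residual 1.0 mg/L for 40 timesteps with one
# operational spike at t=10; a contaminant event is injected at t=20.
BASELINE = [1.0] * 40
BASELINE[10] = 1.4
EVENT = (20, 20 + 3 + 4 + 3)                     # rise 3, peak 4, fall 3
TEST_SERIES = inject_contaminant(BASELINE, 20, rise=3, peak=4, fall=3, amplitude=0.6)
ALARMS = threshold_detector(TEST_SERIES, window=5, k=0.25)
RESULT = score(ALARMS, [EVENT])                  # (rate, false positives, latencies)
```

Running the same scorer over 14 testing datasets that differ only in the injected contaminant, as the text describes, gives the per-contaminant comparison; the operational spike at t=10 shows why false positives must be counted alongside latency.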

Vulnerabilities

The vulnerabilities present within water systems fall into two categories: hydraulic faults and quality faults. Hydraulic faults refer to broken pipes, pump faults, etc.; they can cause economic loss and water quality deterioration. Water quality faults refer to the intentional or accidental injection of contaminants, which pose severe risks to populations. Contamination Warning Systems are needed in order to identify and respond to quality faults within water systems. Another vulnerability concerns the technical and mechanical makeup of the water system as a critical infrastructure. Since the SCADA controls are connected to a network, there is always the possibility of a threat agent appearing through one of the various methods of cyberattack. The mechanical features of the water system can also break down and have an adverse effect on populations. There is also a high cost in developing and maintaining the sensors that monitor water quality; therefore, security professionals must decide on the strategic location of the sensors in order to reduce costs yet maintain high functionality. While more sensors would add extra security to the water system as a critical infrastructure, an attack targeting the main sensors that exist could have a negative impact on wide geographic areas within countries. One of the most important areas of security is that of the SCADA controls, as any cyberattack could alter or destroy the tools used to manage the water system and prevent security professionals from protecting against contamination.

Policies, politics, etc.

Since the water system is managed by private corporations, much like many other forms of critical infrastructure, there is no broad strategy for introducing security policies to the industry on a state or national basis. From the administrations of Presidents Clinton, Bush and Obama, there has not been a push to encourage state governments to adopt regulation for the water system or to set Federal policies that all private corporations follow when managing the water system. The reason for the lack of regulation is that it is hard for politicians to run on the idea on both the Democratic and Republican sides of Congress. In the absence of regulation, the government typically uses the Department of Homeland Security to provide recommendations on how the private sector should maintain water systems and other critical infrastructures. I think that discovering anomalies and protecting the SCADA controls represents an ongoing strategy that needs to be carried out by the private companies managing the water system. Since the potential negative impact of these anomalies creating attacks on SCADA controls could cause significant loss of life and the spread of illness throughout countries, I think it would be helpful for the Federal government to identify the most effective strategies for maintaining and protecting the security of the water system and to provide methods for private companies to implement the paradigm as a way to promote the interest of national security throughout the country.